Severe non-malware attacks and ransomware are the two stand-out malicious behaviors of 2016. When combined, as they have been with the PowerWare extortion, the attack can be both dangerous and difficult to detect.
Carbon Black analyzed data from more than 1,000 customers representing 2.5 million endpoints. It found (PDF) that nearly all organizations have been targeted by non-malware attacks in 2016, and that in any 90-day period, about one-third of all organizations will encounter at least one such attack. Incidences of non-malware attacks spiked by more than 90% in the second quarter of 2016, and have remained at elevated levels ever since.
Ransomware is the fastest-growing malware across all industries, and instances grew by 50% over the year. Locky is the most used variety, used in one out of every four ransomware attacks. Other popular families include CryptoWall, CryptXXX, Bitman (TeslaCrypt) and Onion (or CTB Locker). In March 2016 Carbon Black discovered PowerWare, a non-malware ransomware.
PowerWare uses Microsoft PowerShell to avoid dropping detectable malware onto the disk. The technique, however, is not limited to ransomware. “The alleged hack against the Democratic National Committee (DNC) earlier this year,” notes Carbon Black, “was reported to have leveraged both PowerShell and Windows Management Instrumentation (WMI) in order for attackers to move laterally and remain undetected.”
SecurityWeek talked to Ben Johnson, co-founder and Chief Security Strategist at Carbon Black, to see how non-malware attacks operate, and how they can be detected and prevented.
“Non-malware attacks have been around for a few years, but have really picked up steam this year,” Johnson said. “It’s the bad guys ‘living off the land’; making use of applications that are part of and trusted by the operating system in order to go undetected.”
A typical attack scenario could include a phishing email with an attached Microsoft Office document. The document would contain a macro. If the user can be lured into running the macro, then from system memory that macro could issue instructions to a variety of system apps. The most commonly used are PowerShell and WMI, but it could be any, such as FTP, that can script and copy and perform other basic functions.
The point, said Johnson, is “the whole kill chain can be conducted without installing anything or dropping any binary to disk. When we talk about non-malware leveraging built-in tools like PowerShell or FTP or Remote Desktop the attack is using something that sys admins would normally use anyway.”
Most defenses are looking for known malware or new and strange binaries. “They tend to just assume that if it’s a trusted OS utility it must be OK — I’m just going to let it run, I’m not even going to watch it. That’s one of the main reasons why non-malware attacks are on the rise,” said Johnson.
Detecting non-malware intrusions requires more than just looking at files; it requires monitoring processes. “The easiest approach, but not the be all and end all of it, is to look at the relationship and the command line,” he explained. “As soon as you can see PowerShell being used, in this case you would say, why is MS Word spawning PowerShell? You have to look at the context where the more traditional approaches just look at the individual programs that are running.”
A second approach is to look at the content of the command line. “What usually happens from an attacker,” he continued, “is a bunch of arguments get pasted onto the command line, and the script itself is usually encoded with say, Base64, so it just looks like random characters rather than English text. If you can recognize unrecognizable text, you know it’s not likely to be good.”
A third approach looks at the execution of the script. “We like to think of it kind of like an iceberg,” he explained. “In a boat, instead of looking at just what’s above the surface, that little piece of the iceberg that’s visible, you have to be aware of everything that’s hidden just below. It’s the same with cyber defense.” So once PowerShell starts running, you check to see if it is behaving normally. Is it trying to access a large number of files in a very short space of time; or perhaps trying to communicate outside of the network? Both of these would be considered unusual and should be blocked.
The key is in establishing what is normal behavior. If you set the bar too high, then uncommon rather than abnormal will be blocked, and business processes will be disturbed. If you set it too low, then malicious activity can proceed undetected. The solution, said Johnson, “is a continuous learning process, tweaking the system to gain the optimum performance in line with the user’s individual risk posture. On this basis we can chose to allow, alert or block.”
But as a rule of thumb, the more the user can whitelist processes — and Johnson and Carbon Black are big supporters of whitelisting — the stronger will be the defense. As an example, suggested Johnson, “If it is known that the only valid use of PowerShell is a particular script from IT that runs at a set time each night to update applications across the system, then this can whitelisted and allowed, and all other uses of PowerShell will automatically be blocked.” In this scenario, PowerWare wouldn’t even get out of its macro.
Related Reading: Breaches are More than Malware